identityjunkie.com

Idp-Initiated SSO to SalesForce.com and AD FS 2.0 in 5 minutes

2010-01-22T14:45:00.001-08:00

This post is to demonstrate how you can configure cloud-based applications for federated authentication using AD FS 2.0 RC. Basically, any service provider supporting SAML authentication via IdP-initiated SSO or SP-initiated SSO profiles. In Beta 2, Joe and I had to extend this functionality through code but AD FS 2.0 RC eliminates the need for this making it a strictly out-of-box solution.

To get this working, the only thing you’ll need is a workable ADFS 2.0 installation and rights within SalesForce.com to configure SSO. My 5 minute timeframe only factors in the actual configuration work.

SalesForce.com enables SSO at the user level by Profiles. You can create an SSO-enabled profile and test user for your test case. AD requires a valid user which will contain valid assertions (claims) which will map to profile information in SalesForce.com.

To enable SAML SSO in Salesforce.com, do the following steps:

Enable Federated single sign-on using SAML.
Specify the issuer name. For example, https://idp.identityjunkie.com/adfs/services/trust
Upload token signing certificate.
Specify the Username ID Type = Username and Location which will be within the NameIdentifier element of the SAML token.

Salesforce.com provides a SAML Assertion Validation tool you can run against their configurations. This can be extracted from ADFS using Fiddler.

On the ADFS side, create a Relying Party Trust.

There is no exchange of federated metadata, so you’d select Enter data about the relying party manually.
Assign a Display Name.
Select AD FS 2.0 profile
Specify an optional encryption certificate. This is used to encrypt the claims being sent to the RP. For this case, none was used.
You only need to enable support for the SAML 2.0 Web SSO protocol. WS-Federation is not used here. Enter the URL provided by Salesforce.com as the SAML 2.0 SSO Service URL.
Add the relying party trust identifier. This is https://saml.salesforce.com.
Define your Issuance Authorization Rules.
Configure the Claim Rules. Here you would map your issuance transform rules to Send LDAP Attributes as Claims. For example, E-Mail-Addresses > Name ID.

That’s it. As the user, the experience is to initiate the sign-on process at the IdP which is your ADFS server:

https://sts.identityjunkie.com/adfs/ls/IdpInitiatedSignOn.aspx

You can bypass the entire site selection process by using the loginToRp=federation.urn. For example: https://sts.identityjunkie.com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=https://saml.salesforce.com

This will provide the user with an “auto-login” experience.

Append a result to a csv import

2010-01-12T23:48:00.001-08:00

Say you are using a CSV file to import changes to AD and get the import file from a non-technical source, say HR. Most likely you don't have the complete DN of the user. What you can do is create a function to return the DN of the user based on some search criteria, then append it to the result which you can pipe to another command to execute.

   1: function format-source {Param($file)   2: $a = Import-Csv $file   3: $result = New-Object PSObject   4: foreach ($i in $a)    5: {       6:     $dn = find-user $i.Username  Select-Object DN           7:     $i  Add-Member -Name "DN" -Value $dn -MemberType NoteProperty   8:     $result = $i       9: }  10:    11: $result   12:    13: }

Powershell Fun...

2010-01-12T23:08:00.001-08:00

I know the Quest cmdlets are out there and in Windows 2008 R2, you have the AD cmdlets; however, in the case you still have to do things manually, it’s good to know how to do things through PS – the long way. Here are some snippets I wrote for my current gig. This one gets the member of a user or group object. Handy if you want to quickly see what a user is a member of.

   1: function get-memberof {Param($name)   2: $filter = "(samaccountname=$name)"   3:     4: # Use global catalog to query active directory   5: $dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()   6: $objDomain = [ADSI]"GC://$($dom.Name)"   7:     8: $objSearcher = New-Object System.DirectoryServices.DirectorySearcher($objDomain)   9: $objSearcher.PageSize = 1000  10: $objSearcher.Filter = $filter  11: $results = $objSearcher.FindOne()  12:    13: if($results -ne $null)  14: {  15:     foreach($i in $results)  16:     {  17:         $entry = $i.GetDirectoryEntry()          18:         $groups = $entry.memberof  19:           20:         foreach($group in $groups)  21:         {  22:             Write-Host $group                                      23:         }              24:     }          25: }  26: else  27: {  28:     $object = "object not found."  29: }  30:     return $object  31: }

Another useful snippet is the ability to update or clear user attributes. Here is use ADSI directly which I can then set which flag I want to use to depending on the operation. Below are the flags.

   1: [int] $ADS_PROPERTY_CLEAR = 1   2: [int] $ADS_PROPERTY_UPDATE = 2   3: [int] $ADS_PROPERTY_APPEND = 3   4: [int] $ADS_PROPERTY_DELETE = 2

   1: function update-user {Param($adspath,$title,$description)   2:     3: $user = [ADSI]"$adspath"   4: $user.Put("title",$title)   5: $user.Put("description",$description)   6: $user.SetInfo()       7: Write-Host "Updating object successfully."   8:     9: }

I’ve never been one to be dependent on third-party plug-ins….yes, I know Quest has cool cmdlets for this. But doing it yourself is still way cooler. Search users using System.DirectoryServices.

   1: function find-user{Param($user)   2:     3: $filter = "(&(objectclass=user)(samaccountname=$user))"   4:     5: # Specify seach domain or directly query a global catalog   6: #$dn = 'LDAP://dc=dogfood,dc=identityjunkie,dc=com'   7: #$objDomain = New-Object system.DirectoryServices.DirectoryEntry($dn)   8:     9: # Use global catalog to query active directory  10: $dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()  11: $objDomain = [ADSI]"GC://$($dom.Name)"  12:    13: $objSearcher = New-Object System.DirectoryServices.DirectorySearcher($objDomain)  14: $objSearcher.PageSize = 1000  15: $objSearcher.Filter = $filter  16: $results = $objSearcher.FindOne()  17:    18: if($results -ne $null)  19: {  20:     foreach($i in $results)  21:     {  22:         $entry = $i.GetDirectoryEntry()          23:           24:         $hash = @{                  25:             ObjectCategory = $entry.objectcategory  26:             ObjectClass = $entry.objectclass              27:             DN = $entry.distinguishedname.ToString()          28:             FirstName = $entry.givenname.ToString()  29:             LastName = $entry.sn.ToString()  30:             Initials = $entry.initials.ToString()  31:             Username = $entry.samaccountname.ToString()  32:             DisplayName = $entry.displayname.ToString()  33:             Upn = $entry.userprincipalname.ToString()  34:             Email = $entry.mail.ToString()  35:             Title = $entry.title.ToString()  36:             Department = $entry.department.ToString()  37:             Description = $entry.description.ToString()  38:             EmployeeID = $entry.employeeid.ToString()  39:             UserAccountControl = $entry.useraccountcontrol.ToString()  40:         }          41:     }          42: }  43: else  44: {  45:     $hash = @{          46:          ErrLog = " $user does not exist in directory.`n"       47:         }          48: }  49:     $user = New-Object PSObject -Property $hash      50:     return $user  51: }

Note, on line 24 I’m using a hash table to build out my psObject which makes life easier in powershell 2.0.

Troubleshooting Certificate Issues

2009-12-14T11:28:00.001-08:00

For the past few days, we’ve been working on SAML 2.0 interoperability with OIOSAML and had to dig pretty deep to troubleshoot some issues we were running into. OIOSAML is an implementation of a SAML 2.0 compliant service provider for Java and J2EE applications which runs on Apache Tomcat. The issue wasn’t rocket science; however if we could not resolve it, federated authentication couldn’t be enabled for this application. The only error on the SP was:

Stack Trace:

Caused by: dk.itst.oiosaml.sp.model.validation.ValidationException: The response is not signed correctly

at com.sf.sfv4.authentication.saml2.extend.SFSAML2Response.validateResponse(SFSAML2Response.java:97)

at com.sf.sfv4.authentication.saml2.SFSAML2AssertionConsumerHandler.handleSAMLResponse(SFSAML2AssertionConsumerHandler.java:392)

... 45 more

A Google search on the error provided some possible leads to what the problem could be. However, one would immediately assume the issue was within the signing certificate due to the error. Yes, but you’d have to prove it.

When the SP consumes the SAMLResponse from an issuing IDP, the SP checks the IDP metadata file for a valid issuer; or Entity Id. This value should is stored in the local .xml of an STS within the EntityDescriptor element under the Entity ID attribute. For example, when publishing federation metadata in ADFSv2, these values are within the first element:

+ <EntityDescriptor wsu:Id="8e0d3ee9-0865-49c7-9c05-c8c64399757f" entityID="https://xxx.xxxx.com/Trust" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">

Understanding what happens under the hood helps extremely in troubleshooting problems. When an SP (RP-STS) consumes an incoming SAMLResponse, it checks its policy store for a valid entity id, which then tells the token issuance service which certificate to validate the authenticity of the message by digital signature within the response or assertion sections of the SAML token.

However, in my scenario we never exchanged federation metadata other than manually providing parameters because the delivery method was IdP-initiated POST binding; therefore we had to prove the signature was bad. To do so, we basically wrote an application and published it as an RP to our IP-STS. The core functionality of signing an XML document can be referenced in Rebecca Croft’s blog, Apollo Jack using the System.Security.Cryptography namespace and System.Security.Cryptography.XML.

The SAMLResponse you consume can be displayed in a simple web form which you can write code to validate the SAML formatting and digital signature. The message will be encoded in Base64, therefore you’d need to decode it then check the signature.

To decode the message, you can use this method:

   1: public static String decodeMessage(string samlResponse)   2:         {             3:             byte[] encodedDataAsBytes = System.Convert.FromBase64String(samlResponse);   4:             string decodedSAMLResponse = System.Text.Encoding.UTF8.GetString(encodedDataAsBytes);   5:             return decodedSAMLResponse;   6:         }

To check a signature, you’d use the public key portion of the signing certificate and the SignedXml.CheckSignature method. From there, you can be insured your signing certificates should be validated on the RP side.

Troubleshooting the MSIS7012

2009-12-13T22:54:00.001-08:00

We’re currently Interop testing between various SAML 2.0 passive Relying Parties and Geneva Server (Beta2) with very positive results. The minor errors we have experienced have been with things administratively caused such as changing the signing tokens, etc. But hey, that is what QA is for…to work out all the issues. I thought I’d post some of the errors we’ve documented and what we did to fix them…

The first big issue we had was updated the signing token (default self-signed Geneva token) with the production certificates we got from VeriSign. The result, authentication to a working RP began to fail. The errors that Geneva reported where:

Microsoft.IdentityServer.Shared.WSFederation.RequestFailedException: MSIS7012: The request failed. Contact your administrator for details. ---> System.ServiceModel.FaultException: The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs. at Microsoft.IdentityServer.Shared.Protocols.WSTrust.WSTrustFeb2005ContractAsyncClientManager.IssueAsync(Message request) at Microsoft.IdentityServer.Shared.Protocols.WSTrust.WSTrustFeb2005Client.Issue(RequestSecurityToken rst) at Microsoft.IdentityServer.Shared.WSFederation.WSFederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request) --- End of inner exception stack trace --- at Microsoft.IdentityServer.Shared.WSFederation.WSFederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request) at Microsoft.IdentityServer.Shared.WSFederation.WSFederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, Uri& replyTo) at Microsoft.IdentityServer.Shared.WSFederation.WSFederationPassiveAuthentication.BuildSignInResponseCoreWithSecurityToken(SecurityToken securityToken, Boolean isIssuedToken, WSFederationMessage incomingMessage) at Microsoft.IdentityServer.Shared.WSFederation.WSFederationPassiveAuthentication.BuildSignInResponse(WSFederationPassiveContext federationPassiveContext, SecurityToken securityToken, Boolean isIssuedToken) at Microsoft.IdentityServer.Shared.WSFederation.WSFederationPassiveAuthentication.SignIn(HttpContext context, WSFederationPassiveContext federationPassiveContext, SecurityToken securityToken, Boolean isIssuedToken) at FaultHandlingWSFederationPassiveAuthentication.SignIn(SecurityToken token, Boolean isIssuedToken)

Because we’d exchanged metadata with this RP, we’d initially thought the polling schedule would update the policies which was not the case. Although authentication to the IDP was successful; an exception would be thrown soon after. Manually, updating the metadata on the IDP (ADFS) changed my error to the following:

Microsoft.IdentityServer.Shared.WSFederation.UnsupportedSamlRequestException: MSIS1006: The configured passive endpoint 'https://xxxxxx.com/FederationPassive/' is not a prefix of the SAML authentication request Destination URI 'https://xxxxxxx.com/FederationPassive/'. at Microsoft.IdentityServer.SamlProtocol.SamlProtocolAdapter.SamlAuthnRequestToRSTInternal(AuthenticationRequest samlAuthnRequest, SecurityTokenElement onBehalfOf, String passiveEndpoint) at Microsoft.IdentityServer.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage)

Because we knew authentication successful; we could trace the problem to a faulty signature when processing the SAMLResponse by the consuming RP-STS. Asking the RP to manually update the federated metadata fixed the problems which updated them with my new signing certificate.

Visualizing WS-Federation and SAML Profiles

2009-12-13T19:24:00.001-08:00

SAML and WS-Federation within ADFSv2 may (or may not) introduce new concepts to the AD administrator. The immediate reaction may be, “I’m not a developer!” However, understanding the technology and how to implement it in the enterprise is no different than understanding Kerberos authentication protocols used by Active Directory. Travis Spencer published a very good slide deck which covers all the dance steps for both WS-Federation and SAML profiles. This is really good and helps visualize what happens behind all the federation acronyms and terms.

Animated Explanation of SAML

Implementing Single Sign-on with SalesForce.com

2009-12-04T02:34:00.001-08:00

Getting single sign-on to work with Salesforce.com is pretty straightforward. They support both SAML 1.1 and now 2.0 formats using IdP-initiated POST Bindings. ADFSv2 Beta 2 currently does not support IdP-initiated SSO; although, from what I’ve heard will in RTM. So do get this working, you can do this through a custom STS.

All SalesForce.com requires is the Username or Federation ID to be passed as an assertion within the SAML token. This can be presented in either the Subject or as an Attribute value. The simplest method is to do it through the subject. On the Saleforce.com side, the federation single sign-on using SAML settings should be:

SAML Enabled: yes
SAML User ID Type: Username
SAML User ID Location: Subject
SAML Version: 2.0
The public key of your Token Signing Certificate needs to be uploaded for validating token authenticity

Salesforce.com provides a validation tool to compare your generated SAML Response against the SSO settings on their server. This is pretty helpful in working through errors.

Getting a properly formatted SAML Response is probably the most important key for federated authentication to work. If there is something not standard or funky in the token, the STS that attempts to consume it will likely throw an error.

Below is a working SAML 2.0 token we’re using for Salesforce.com (note that I’ve removed my signature information):

<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination=https://login.salesforce.com ID="fhlaclpimfkgkjpbdijjcjahbhbldojhekcojnog" IssueInstant="2009-12-04T09:52:35Z" Version="2.0"><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">……</Signature>
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">mycompany.com</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="baofcgcmpmmekakjkkbomfbefcfdljgbkbdifohm" IssueInstant="2009-12-04T09:52:35Z" Version="2.0">
<saml:Issuer>mycompany.com</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">ccalderon@mycompany.com</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2009-12-05T09:52:35Z" Recipient=https://login.salesforce.com />
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2009-12-04T01:52:22Z" NotOnOrAfter="2009-12-05T09:52:35Z">
<saml:AudienceRestriction>
<saml:Audience>https://saml.salesforce.com</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2009-12-04T09:52:35Z">
<saml:AuthnContext> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="ssoStartPage" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">https://localhost/SalesForce.SSO/SSOLogin.aspx</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="logoutURL" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">https://www.salesforce.com</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>

Can ADFSv2 Beta2 work with ZXID?

2009-11-11T21:08:00.001-08:00

This week, we configured interoperability with an STS running ZXID for SP-initiated SSO. ZXID is an open source IdM for SAML SSO. It’s basically an Apache httpd auth module for SAML SSO. It uses pure SAML 2.0 and ID-WSF Web Services, and others language bindings supported through SWIG. More on the product can be found here and how it works:

OpenLiberty Secure Identity Web Service
Apache with mod_auth_saml Receipe

Thoughts? Pretty cool…

FIM RC1: Access to the requested resource(s) is denied

2009-10-16T10:30:00.001-07:00

A common attribute used in ILM projects is the “Employee Status” attribute. In RC1, this value does not exist for the user resource type within the portal. Additionally, there might be more attributes you need to create and associate with any resource type; therefore, after going through the procedures documented in the “Introduction to Schema Management” guide, you’ll probably experience the following error when exporting data from the FIM MA:

"failed-web-motification-error"

Type: Microsoft.ResourceManagement.WebServices.Client.PermissionDeniedException

Message: Access to the requested resource(s) is denied

Stack Trace:    at Microsoft.ResourceManagement.WebServices.Client.UninitializedResource.PerformUpdate()
   at Microsoft.ResourceManagement.WebServices.Client.UninitializedResource.Update()
   at MIIS.ManagementAgent.RavenMA.ExportObjectModification(DataSourceObject dsObject, SchemaManager schemaManager)
   at MIIS.ManagementAgent.RavenMA.Export(DataSourceObject dsObject)

As Joe mentions on the forums, in RC1 the default MPRs list explicit attribute values within the list of resource attributes versus just saying “All Attributes.” Any custom attribute needs to be added in order for the synchronization account to update them during an export procedure. To do so, just add the attribute to the “Synchronization: Synchronization account controls users it synchronizes” MRP. Not sure if this is relevant, but I had to cycle my FIM Service for it to apply immediately.

Automating MOSS 2007 installs

2009-09-16T22:23:00.001-07:00

Let’s build onto the process described in my last post. This time, let’s look at automating the setup of MOSS 2007. Here is a link which describes the process for “slipstreaming” the MOSS setup files with SP1; therefore, I’m going to skip that. Apparently, the Product Group has released a downloadable version also, so this might be useful for future service packs and updates.

Depending on where you want to go, if you still need to install SQL…you can bolt this process right on top of the unattended SQL installation procedure. For me, this comes in handy when re-building my farm(s) for development.

The pre-requisites for installing MOSS 2007 on Windows 2008 are to install the web server role w/ the IIS6 management components. You can do this by using servermanagercmd.exe with the –I switch + the [Web-WebServer] and [Web-Mgmt-Compat] components. For example:

servermanagercmd -i Web-WebServer

servermanagercmd -i Web-Mgmt-Compat

Assuming SQL is already provisioned and you have a slipstreamed install directory, you can proceed to setup a configuration file for setup. Be sure to install the pre-requisites, then you can proceed to use the /config [path and file name] switch to reference a Config.xml file to setup MOSS 2007. If you’ve slipstreamed your installation files with SP1, the updates will be applied during the installation. Here is the TechNet link on how to use the Config.xml for controlling installs or doing more advanced installations.

Below is a sample configuration file I use for simple farm installation, using the following syntax:

\\..\...\MOSS2007_FullSP1\x86Setup\setup.exe /config “config.xml”

- <Configuration>

- <Package Id="sts">

</Package>

- <Package Id="spswfe">

</Package>

</Configuration>

Automating SQL 2008 w/SP1 installs

2009-09-16T22:01:00.001-07:00

Building customer solutions can require the maintenance of many development environments; therefore, I’d rather not be spending my whole day doing watching the progress bar of some app install. In addition, each development environment may differ slightly in configuration; therefore I need the ability to just point and click for installs, yet I still need to provide the flexibility to change the installation configuration when needed. There are many ways to do this…I know folks that have built elaborate deployment tools that leverage either SQL or XML to get configurations; however here are some ideas for how I do things using syspreped VM images. This process can easily be packaged and integrated into a nice automated build process using something like SCCM.

Slipstreaming Source Installation Binaries: Installing prerequisite software is a pain, especially if you have to go back around and patch or apply a service pack. As a best practice, it is always best to build using the “most current” advertisements and patches. We all know, applying patches is something that won’t go away, however if I can reduce my deployment time by merging service packs (which always take long), I can make my process more efficient. Here is a post that provides the steps for slipstreaming SQL 2008 with SP1.

Creating a merged (slipstreamed) drop containing SQL 2008 + Service Pack 1

Unattended Installation: Unattended installations methods provide value from automation, in addition to insuring consistency in the configuration of a system. For example, say I’m deploying across many systems such as a web farm. I’d want the build automated versus going to each machine. SQL 2008 supports unattended installs by using a configuration file. This configuration file provides the ability to deploy SQL throughout the enterprise with the same configurations. Here is the MSDN link which covers installing SQL using configuration files.

How To: Create an installation directory to store the source installation files. Within that directory, you can store any pre-requisites. For example, mine is: \\XXX.XXX.XXX.XXX\Source\SQLServer2008Ent_FullSP1\Soruce

Within the pre-requisites directory (\\XXX.XXX.XXX.XXX\Source\SQLServer2008Ent_FullSP1\Pre-Req), I keep the following support files:

The installation directory (\\XXX.XXX.XXX.XXX\Source\SQLServer2008Ent_FullSP1\Setup) maintains:

Installation Files
Configuration File (ConfigurationFile.ini)

The following commands can be wrapped up into a batch file or installation package to be executed by the installation process.

dotnetfx35.exe /qb /norestart
NDP35SP1-KB958484-x86.exe /q /v /norestart
wusa Windows6.0-KB942288-v2-x86.msu /quiet (will require reboot)
setup.exe /SQLSVCPASSWORD="********" /AGTSVCPASSWORD="********" /ConfigurationFile="%Path to ConfigurationFile.INI%"

Transitioning to Geneva Framework and Server

2009-06-25T09:55:00.001-07:00

This week, I’m getting the opportunity to play catch-up and get my feet wet with Geneva. So far, it’s awesome because there is so much material already out! As soon as all my pre-reqs are installed, integration with VS 2008 immediately worked {Per DL “huh, a Beta product working” =-)}! Yep, the option to “Create a new STS project in the current solution” is pretty slick. Developers can begin building an application immediately without having to wait for the IT guy; therefore keeping everything within VS until time to deploy a build.

If you’ve already played with the federation stuff, I suggest watching Channel 9’s interview with Donovan Follette on making the shift from ADFS v1 to Geneva and Jan Alexander on the claims transformation language in Geneva Server Beta 2. Both address all the important things you need to know to get started such as the new concepts Geneva introduces and how they relate to the old concepts used in ADFS v1.

Check it out, the links to Channel 9 are above!

AD PowerShell Cmdlets & AD WebServices

2009-04-08T00:14:00.001-07:00

New features coming out for Windows Server 2008 R2 that I’m really interested in are the AD PowerShell Cmdlets and AD WebServices. This evening, I happened to stubble on PG’s blog, “Active Directory PowerShell Blog” which provided some valuable info on what’s coming soon! Of course, the first thing I did after reading a the first few posts is begin my download of R2 so I can begin playing with them myself. So much to learn, so little time…

Let me summarize what’s new:

Basically, the AD PsH cmdlets will immediately support 4 categories (Account, Topology, DS Object, Providers) for AD administration. Here is a link which breaks down the actual cmdlets. Just with what you see, you can bet there is a lot of opportunity for extensibility (or as they refer to it, “Advanced Functions!”

The next thing is the AD WebServices, which support both ADAM and AD upon installation.

Here is the link to their blog:

Active Directory PowerShell Blog

Using PowerShell and S.DS.AD to create Sites and Service objects

2009-03-07T17:02:00.001-08:00

System.DirectoryServices.ActiveDirectory (S.DS.AD) is a .NET namespace available for performing common tasks related to Active Directory Domain Services. S.DS.AD differs from S.DS in that it is a pure .NET interface which allows us to extend deeper into DS development. See S.DS.AD Scenarios here.

With PowerShell (PSH), we can leverage the classes in this namespace for common manual tasks that can be scripted. For example, in a migration scenario, managing AD sites and services can be time consuming to set up. Here are some functions I wrote which allow you to automate these process using PSH.

To do bulk creations of site objects, you would store your configuration in a CSV file and use them as parameters to each PSH function.

Say we need to 1. Create Sites, 2. Create Subnets, 3. Create SiteLinks, and 4. Configure our SiteLinks. Using Excel, you can create 4 CSV source files for each task, then use the Import-CSV and ForEach-Object cmdlets to call each function for each record.

For example:

Import-Csv C:\importFile.csv ForEach-Object {Create-Site $_.SiteName}
Import-Csv C:\importSubnets.txt ForEach-Object {Create-SubNet $_.SubNet $_.SiteName}
Import-Csv C:\importSiteLinks.txt ForEach-Object {Create-SiteLink $_.SiteLinkName $_.Site $_.Cost $_.Interval}

Here are the PSH functions:

Creating AD Sites

Function Create-Site{Param ($siteName)
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$type = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]"forest"
$contextType = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext($type,$forest)
$site = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySite($contextType,$siteName)
$site.Options = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySiteOptions]::GroupMembershipCachingEnabled
$site.Save()
Write-Host "Creating site object $siteName..." }

Creating AD Subnets

Function Create-SubNet{Param($subNetName,$siteName)
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$type = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]"forest"
$contextType = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext($type,$forest)
$site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::FindByName($contextType, $siteName)
$subnet = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySubnet($contextType,$subNetName,$site)
$subnet.Save()
Write-Host "Creating subnet object $subNetName..." }

Creating AD SiteLinks

Function Create-SiteLink{Param($siteLinkName,$siteName,$siteCost,$repInterval)
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$type = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]"forest"
$contextType = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext($type,$forest)
$trans = [System.DirectoryServices.ActiveDirectory.ActiveDirectoryTransportType]::Rpc
$site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::FindByName($contextType,$siteName)
$link = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySiteLink($contextType,$siteLinkName,$trans)
$link.Cost = $siteCost
$link.ReplicationInterval = $repInterval
$d = $link.Sites.Add($site)
$link.Save()
Write-Host "Creating siteLink object $siteLinkName..." }

Adding Sites to a SiteLink

Function Add-SitetoSiteLink{Param($siteName,$siteLinkName)
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$type = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]"forest"
$contextType = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext($type,$forest)
$site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::FindByName($contextType,$siteName)
$link = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySiteLink]::FindByName($contextTye,$siteLinkName)
$link.Sites.Add($site)
$link.Save() }

Installing ADAM on Vista SP1

2008-12-17T11:24:00.001-08:00

To date, Microsoft still hasn’t released an ADAM build for Vista. We’ve since had to hack our way to get ADAM installed; however, the release of Vista SP1 presented a new set of obstacles. Basically what you’ll see is an “Entry Point Not Found” error which references the VSSAPI.DLL. In order to overcome this, you just copy the older version of the VSSAPI.DLL into the ADAM directory on your Vista machine (Thanks siudyda.com for the post).

Here are the steps to get ADAM installed on an Vista SP1 build:

Install ADAM on a non-Vista machine.
Copy the %WINDIR%\ADAM folder from your non-Vista machine to the same location on your Vista machine.
Create a new registry key HKLM\Software\Microsoft\Windows\CurrentVersion\ADAM_Shared. Under this key, create a new Multi-String value named “SharedFolders”.
Run the adaminstall.exe from the %WINDIR%\ADAM directory. Do not import any LDIF files. Note: if you experience the error mentioned above, just copy the older version of VSSAPI.DLL into your ADAM directory.
Complete the wizard and you should have a fully functional ADAM instance. All you need to do is import the LDIF files you want to design your schema.

Invalid DN Syntax when creating new object classes in ADAM

2008-10-04T11:45:00.001-07:00

When recreating an ADAM directory for a project that uses custom object classes, I ran into a problem attempting to import my schema using Ldifde.exe using the following command line:

“ldifde -i -u -f export_prod_schema.ldf -s server:port -b username domain password -j . -c "cn=Configuration,dc=X" #configurationNamingContext”

Below is the error my logfile reported:

Entry DN: cn=xxxxx,cn=Schema,#configurationNamingContext

Add error on line 15: Invalid DN Syntax

The server side error is "The object name has bad syntax."

An error has occurred in the program

The problem was actually in Ldifde.exe itself. Apparently, the version of Ldifde.exe from the system32 directory does not support #macros. You have to use the version provided with the ADAM (%windir%\ADAM) installation.

Thanks to Dmitri Garilov for posting this in the news group.

Reminder: C# character escape sequences

2008-09-24T21:09:00.001-07:00

C# defines the following character escape sequences:

\' - single quote, needed for character literals
\" - double quote, needed for string literals
\\ - backslash
\0 - Unicode character 0
\a - Alert (character 7)
\b - Backspace (character 8)
\f - Form feed (character 12)
\n - New line (character 10)
\r - Carriage return (character 13)
\t - Horizontal tab (character 9)
\v - Vertical quote (character 11)
\uxxxx - Unicode escape sequence for character with hex value xxxx
\xn[n][n][n] - Unicode escape sequence for character with hex value nnnn (variable length version of \uxxxx)
\Uxxxxxxxx - Unicode escape sequence for character with hex value xxxxxxxx (for generating surrogates)

Of these, \a, \f, \v, \x and \U are rarely used in my experience.

link to original post

ADFS and MySites - Enabling MySites with the Web Single Sign-On (SSO) authentication provider

2008-09-04T15:38:00.001-07:00

There have been few online questions regarding enabling MySites interoperability with ADFS. To answer the question if it’s possible, yes.

The process is actually very simple and similar to configuring forms based auth in MOSS 2007.

So it’s probably safe to assume, by this time you’ve already completed the step-by-step guide for enabling MOSS 2007 as a claims aware application; therefore this post is a walkthrough on how to configure the Web Single Sign-On authentication to interoperate with MySites.

Assuming you already have a functional claims-aware instance of MOSS 2007 configured, when logged in as a federated user you should see that the MySites link is missing. The reason for that is MySites is tied to the Shared Service Provider which has not yet been extended to use the Web Single Sign-On (SSO) authentication provider.

In order for federated users to have access to MySites, Web Single Sign-On needs to be configured to interoperate with My Site applications.

For simplicity sake, this walkthrough assumes the MySites collection is within the same web application of the site to which they are associated. For example, https://<sharepointserver>/mysites. The recommended design from Microsoft is to have MySites as its own web application and managed independently. I’m lazy and only have a VM to prove my point, so here it is. Recommended designs for MySites should be referenced in the best practice documentation in TechNet.

Within Central Admin:

1. When first configuring your Shared Service Provider, you probably configured it under the Default zone with NTLM authentication. Extend the SSP web application to use an additional authentication provider and assign it to the Custom or Extranet) zone. (Note: Zones identify the logical separation of access restrictions to the same content.) Be sure to include the details such as port number where the new application will be hosted in and choosing the zone that this extended Web application will reside under. In my case, I extended the web application under my existing federated URL, http://extranet.treyresearch.com:<port>.

2. Configure the authentication provider of this extended web application for Web Single Sign-on (SSO). Be sure to specify the Membership Provider Name as [SingleSignOnMembershipProvider2] and Role Manager Name as [SingleSignOnRoleProvider2].

3. At this point, add a provider section to the Web.config of the extended Web application. This would virtual directory for the SSP (C:\Inetpub\wwwroot\wss\VirtualDirectories\<port number of SSP>. The following snippet should be copied and pasted under the <system.web> node within the web.config.

<membership>

<providers>

<add name="SingleSignOnMembershipProvider2" type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" fs="https://fs.treyresearch.com/adfs/fs/federationserverservice.asmx" />

</providers>

</membership>

<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">

<providers>

<remove name="AspNetSqlRoleProvider" />

<add name="SingleSignOnRoleProvider2" type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" fs="https://fsserver/adfs/fs/federationserverservice.asmx" />

</providers>

</roleManager>

Be sure to update the <fsserver> name to reflect the web service URL of the federation server. Do an “iisreset” for the configuration to take place.
4. When you’ve completed this task, the People Picker should be able to resolve organizational claims for this web application using the SingleSignOnMembershipProvider2 membership provider.

5. Assign your federated users Personalization services permissions. Do this by browsing the SSP Admin Site: <ssp name> User Profiles and My Sites Personalization service permissions. Using the Add Users/Group link you can enter the name of your organizational claims representing your portal users. Hit the Check Names button and watch the name resolve.
Grant the following rights to the users, (1) Create personal site and (2) Use personal features.

6. The next step is to grant federated users permissions to the MySites Host. Within the SSP Admin site, navigate to SSP Admin Site: <ssp name> User Profiles and My Sites My Site settings, then within View All Site Content My Site Host Permissions.

7. Add your organizational claim that represents your federated users. You actually create a claim that defines the various types of users and set their rights here. For example, Portal Admins and Portal Users.

8. Typically you wouldn’t want to assign other users Read permissions to other users to view public areas of MySites. The default behavior grants NT AUTHORITY\authenticated users to read other users MySites. You have to grant the organizational claim representing your federated users here. Browse to your SSP Admin Site, SSP Admin Site: <ssp name> User Profiles and My Sites My Site settings. Within the Default Readers Site Group, add the organizational claim here.

9. Now test the configuration from the client computer within the account partner. Browse to https:/extranet.treyresearch.com which should authenticate you through the federated trust. The first thing you should notice is that the MySites link is now available.

10. When you click it, your site is created!

SharePoint and ILM integration

2008-06-06T13:55:00.001-07:00

As more and more companies standardize intranet/extranet portal platforms onto SharePoint 2007 (MOSS 2007), the need to integrate identity-related needs will be asked of the ILM Administrator. It makes sense...MOSS 2007 is the front-end for business communication, web-based collaboration, information-sharing, and workflow capabilities. As many already know, ILM2 will have a WSS front-end; therefore tying it's built-in functionality into your existing intranet is a no brainer...

Just in case you hadn't seen this, Alex Tcherniakhovski has something that may provide you insight for integration (or at least give you a base to work with). At most, these should provide a good template for creating an XMA that leverages one of the out-of-box (or custom) web services from MOSS 2007.

Connecting ILM 2007 with SharePoint Service Lists

Below is a brief rundown of the Web services that a MOSS 2007 makes available out of the box:

http://server:5966/_vti_adm/Admin.asmx - Administrative methods such as creating and deleting sites
http://server/_vti_bin/Alerts.asmx - Methods for working with alerts
http://server/_vti_bin/DspSts.asmx - Methods for retrieving schemas and data
http://server/_vti_bin/DWS.asmx - Methods for working with Document Workspaces
http://server/_vti_bin/Forms.asmx - Methods for working with user interface forms
http://server/_vti_bin/Imaging.asmx - Methods for working with picture libraries
http://server/_vti_bin/Lists.asmx - Methods for working with lists
http://server/_vti_bin/Meetings.asmx - Methods for working with Meeting Workspaces
http://server/_vti_bin/Permissions.asmx - Methods for working with SharePoint Services security
http://server/_vti_bin/SiteData.asmx - Methods used by Windows SharePoint Portal Server
http://server/_vti_bin/Sites.asmx - Contains a single method to retrieve site templates
http://server/_vti_bin/UserGroup.asmx - Methods for working with users and groups
http://server/_vti_bin/versions.asmx - Methods for working with file versions
http://server/_vti_bin/Views.asmx - Methods for working with views of lists
http://server/_vti_bin/WebPartPages.asmx - Methods for working with Web Parts
http://server/_vti_bin/Webs.asmx - Methods for working with sites and subsites

Password Sync using the SAP ERP MA

2008-03-12T01:56:00.001-07:00

Does the Microsoft ERP MA from Microsoft support password synchronization? My immediate answer is yes, however there are a few things you need to consider. Most of all, the reason for this is that the documentation is pretty cryptic in itself and unless you are on a SAP project or have a development environment available, being able to test this yourself can be challenging.

According to the ERP MA README.htm, only "administrative password reset" operations are supported. Now, referencing the PCNS technical material, I found the definition as follows:

"An automated password synchronization solution in ILM allows users to change their passwords in all connected data sources that are configured for automated password synchronization. Typically, users can press CTRL+ALT+DEL on the keyboards to initiate a password change.

This is a password change operation, not a password set or reset operation. For a password change operation, a user must know the previous password when attempting to change passwords. For a password set or reset operation to occur, a user does not have to know the previous password to set or reset the password to a different value. The automated password synchronization solution is a password change operation because users know the previous password."

Well, this is a question that comes up a lot and this post should provide you with an idea of how to sync passwords between SAP and AD. An article I'd like to credit is the thread between Markus and Peter regarding this topic. Here Peter talks on a method similar to what I've run into.

My experience is initially, it seemed like password synchronization would work out-of-box; however an issue I ran into was that whenever a system administrator assigns a new password to users, the new password is marked as "initial." Users have to change their initial passwords at first logon. Apparently, I though you could simply just turn this option off. According to the SAP Knowledge Warehouse, you have to modify the SAP User Management Engine (UME) properties using their Config Tool. (Your SAP Admin should be familiar with this and provide feedback.) The setting you modify is the ume.logon.security_policy.password_change_required to reflect, False (not to require a password change at first logon). Well, the final solution resulted in creating a new SAP BAPI, similar to what Peter did. (Thanks Franciso Corona for confirming!) From there, as long as the password policies aren't conflicting each other, you should be good.

Other obstacles I’ve run into that have prevented me from syncing passwords are the policy limitations applied in SAP. Depending on version, the following rules may apply:

Passwords must be 3-8 characters long.
Passwords cannot begin with 3 identical letters
Passwords cannot begin with a “?” or a “!” or a space.
Passwords cannot be identical as the previous passwords used
Passwords cannot be “SAP” or “Pass”
Passwords cannot begin with the first letters of your name.

Most typically, by leverage AD as an authentication provider, this would get you the closest to achieving true single sign-on; however we understand that isn’t the case in many scenarios.

If you are running SAP on Windows, SAP GUI can be configured to authenticate against AD (including Kerberos SSO without any 3^rd party vendors). This does not apply to UNIX; here you would need something like Centrify.

If you are just using SAP Enterprise Portal and IViews, SAP Portal can be configured to authenticate against AD or ADAM.

Understanding the inner workings of SAP from MIIS (ILM) Perspective

2007-12-14T01:48:00.001-08:00

The past few posts, I’ve really concentrated on the Microsoft ERP MA for SAP integration. Although my world revolves around identity management, a huge piece of that I spend on integration of systems throughout the enterprise that do not share a common platform. One of which is SAP. By no means would I consider myself an SAP Consultant; however the need to understand the inner-workings of foreign systems only makes my job that much easier. Surprisingly, SAP is one of those systems we find customers having difficulties integrating into different connected data sources all around the enterprise.

This post will further concentrate on key components of SAP; most typically how SAP communicates to the outside world. From here, you can better understand how to achieve proper integration.

The first thing is to understand some key concepts of SAP. SAP talks through various Business Application Programming Interfaces also known as BAPIs. These interfaces are object-oriented methods which are the data-handling mechanisms used in SAP Systems. Knowledge of how to instantiate these objects are the most powerful tool in an SAP consultant’s arsenal. BAPIs are business objects similar to transactional records, master records, or datasets. They are most used when calling data in and out of SAP. Although out of the box, there are several hundred BAPIs available for use; they can also be customized to fit any business need required.

Another key concept to BAPIs and most often confused are IDocs. IDocs are data transports and are about moving data between systems and modules within SAP. Ultimately, BAPIs are the mechanisms for getting data in and out of SAP; therefore when integrating SAP with MIIS, you will be invoking or passing parameters to BAPIs to retrieve any type of data.

Remote Function Calls (or RFCs) are function modules that are called within a BAPI. They relate to each other as a BAPI is a business object; whereas an RFC is the functional code.

A perfect example of what happens is, (A) you call a BAPI, then (B) pass parameters to invoke RFCs.

ILM (MIIS) and the Microsoft ERP Management Agent - Part 3

2007-12-06T00:36:00.000-08:00

In my previous post, I provided an overview of how we communicate within .NET to SAP Systems. Now, let’s take a look at how this relates to ILM (MIIS). The ERP MA provides a tool called to build the connector space. (Yes, you must build out your connector space by (1) defining the schema of attributes and (2) declaring what BAPIs to invoke and where (add, replace, delete, setpassword). This is accomplished through the ERP Configuration Tool. The document recommends using the provided template files to get started; however in my experience they were much harder to customize. IMHO it was much easier to build my connector space from scratch.

Once you’ve completed, you can create the SAP MA which to do so, you need to input the XML configuration file that is created by the ECT. You should then be able to see the entire attribute list with all the normal functions of any other management agent.

How do my previous posts relate to where we are now; well here is how the MA works.

Building the ERP MA configuration file using the ECT; the configuration of the MA is performed by discovering the SAP environment using the SAP connector for Microsoft .NET 2.0 and generating an XML. This essentially discovers all the BAPIs and stores them in a local cache file.
Configuration UI communicates with SAP to discover the BAPIs and other configuration for display.
XML configuration, proxy assemblies and schema definition file generated by the UI. You are building out your connector space.
Creation of the MA happens in MIIS and consumes schema file which MIIS uses to synchronize with SAP.
ERP MA SAP assembly consumes XML configuration and proxy assemblies at run time provides wrapper to RFC calls directly to SAP Server
The diagram below (provided from the CHM) details what happens under the covers.

Now that you understand the process for communication, you can now proceed to determine what to do with the data you import/export. Key things to understand when using the Microsoft ERP MA are the following:

***Understand the process of Alias and Alias-referencing. That is the core of how the MA works.

ILM (MIIS) and the Microsoft ERP Management Agent - Part 2

2007-12-04T22:00:00.001-08:00

In part of my last post, here we should do an overview of the SAP .NET Connector. Essentially, it is a programming environment inside of Visual Studio that enables us to communicate between the .NET platform and SAP Systems. Communication is facilitated through proxy classes which call and/or invoke BAPI functions in SAP. The connector support both SAP RFCs and Web Services which allow you to write various applications using any .NET language. Pretty straight forward, huh?

Anyhow, the connector is made up of several parts. As I mentioned, first it’s pretty tightly integrated with Visual Studio for generating SAP proxies. The proxies are used to call BAPI functions through either the SAP RFC protocol (librfc32.dll) or via SOAP. Do note, per the documentation...Release 4.6D does not have SOAP support while systems starting from 6.20 can use either. At the moment, the most current version of the connector is built for .NET 2.0 (SAP Connector for Microsoft .NET 2.0). Additional dlls that are part of the assembly is the SAP.Connector.Rfc.dll and LibRfc.dll. (LIBRFC32.dll, is in Release 6.20 and higher). The diagram below, details the runtime architecture and how communication is facilitated using the .NET Connector.

ILM (MIIS) and the Microsoft ERP Management Agent - Part 1

2007-12-04T01:01:00.001-08:00

In my current project, I’ve had the opportunity to work with the Microsoft ERP Management Agent for SAP. As many already know, SAP is a huge applications and a common connected data source which in most (or some) cases acts as the authoritative source for HR related data. MIIS can be used to facilitate or broker identity data and identity management related tasks to and from this connected data source and to many others. In my opinion, MIIS and SAP integrate very well which I thought I’d write about how MIIS connects to SAP to synchronize identity data to and from the connector space. From here, I hope you can get a better understanding on how to integrate SAP into your existing MIIS environment.

Prior to the release of the ERP MA by Microsoft, MIIS developers connected to SAP systems by custom XMAs using the SAP .NET Connector. For example, Oxford Computer Group had developed a management agent for SAP which has been proven successfully in many environments way before the Microsoft ERP MA was even released. Regardless, here is how connectivity is accomplished using the ERP MA from Microsoft.

Before I start, the Microsoft ERP Management Agent can be downloaded from the following link or obtained within the ILM 2007 FR1 installation media.

Microsoft Enterprise Resource Planning Management Agent for SAP

The base requirements for this management agent are:

Microsoft Identity Integration Server 2003 SP2 or ILM 2007
The SAP .NET Connector 2.0
Microsoft .NET Framework, version 1.1 or higher

In order to connect to SAP, you should first understand some concepts of SAP.

BAPI (Business Application Programming Interface) – a function that performs a specific operation inside the SAP environment
InfoTypes – structures used as parameters to BAPIs
RFC (Remote Function Calls) – a method for accessing a BAPI from another computer via the network
SAP Connector for Microsoft .NET 2.0 – a managed component from SAP that enables RFC to BAPIs in a SAP application server

It’s pretty late now, so in my next part I will write more details on how the SAP .NET Connector works and how it relates to MIIS and the ERP MA.

ERP MA bug in ILM 2007 FP1

2007-11-27T21:35:00.001-08:00

Apparently there is a known bug in the ERP MA for SAP that comes with ILM 2007 FP1. This bug prevents you from configuring the outbound flow of an anchor attribute. When mapping an attribute to csobject.anchor, this prevents you from setting the flag which defines this attribute as an identity for the object and prevents you from exporting when invoking a BAPI that needs the reference.

Microsoft is aware of the bug which might be fixed next week; however the expectation should be assumed for mid-January.

So far, I’ve still using the version of the MA downloadable from the following link which is working fine.